by Andrew Gray, Client Services Director, Conscious Solutions 

The Legal Landscape – How did we get here?

Personal Details
For years there has been legitimate concern over the use and exchange of personal information (e.g. name, address, age) – this was addressed in the Data Protection Act (DPA) of 1998. Most people have heard about the Act and appreciate the need for it. The Act deals with a wide range of issues to do with the collection, storage and exchange of “personal data” and applies regardless of how the information is obtained (i.e. the Act certainly covers data gathered via the Internet but is not restricted to it).

Behavioural Data
More recently, concern has grown over a rather different form of personal information that can best be described as “behavioural data”. This is information that can be derived about you without necessarily knowing exactly who you are. If you visit three different websites that all happen to carry advertising delivered by the same advertising network then it is possible for that network to track the fact that you have used all three sites and derive some knowledge from that which could be commercially valuable. For example, the advertising network might use the information to determine what advertisements to display to you.

What’s the Problem?
The EU Directive ended up being written quite broadly – it is not limited to the use of cookies by advertising networks (so-called “third party cookies”); it applies equally to all cookies and even to other non-cookie-based technologies that might be used to identify a User.

What are Cookies?

A cookie is used by a website to send ‘state information’ to a User’s browser and for the browser to return the state information to the website. The state information can be used for authentication, identification of a User session, User preferences, shopping cart contents, or anything else that can be accomplished through storing text data on the User’s computer.

Cookies are used extensively – almost all sites use them in order to track anonymous Users (i.e. Users who have not registered or logged in). Why? Because it’s helpful to know how many people are using your site and how they navigate through the site (you track them as a unique “visitor” even though you make no effort to try to identify them in person). But the current legislation states that explicit consent must be obtained before any cookie is set. The User must also be given the ability to opt out of having cookies stored on their computer.

When did the law change and who enforces it?

The original EU legislation that became known as the “E-Privacy Directive” was published in 2003 and implemented as European Directive – 2002/58/EC. It was concerned quite widely with the protection of privacy in the electronic communications sector. In 2009 the Directive was amended by Directive 2009/136/EC, which included a change requiring consent for storage of, or access to, information stored on a subscriber’s or user’s terminal equipment – in other words a requirement to obtain consent for cookies and similar technologies.

The EU Directive entered UK law on 26th May 2011 as “The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011”. It is regulated by the Information Commissioner’s Office (ICO) www.ico.gov.uk.

The ICO quickly issued guidance notes saying that they would give industry one year to comply with the new law – i.e. until 25th May 2012.

In December 2011 the ICO issued more detailed guidance notes which clarified what UK industry was expected to do in order to comply with the new legislation.

Are modifications to T&Cs or Privacy Policies not sufficient?

No. The Data Protection Act (DPA) of 1998 used to govern the management of information by websites. As a website owner, it meant that you had to publish clear policies about the collection of information and the use of cookies. The result was that a few million “Privacy Policies” got added to websites and not a lot else. The policy at the time was easy to implement: it did not require an “opt-in” or an “opt-out” but simply a “disclaimer” in the form of a privacy policy or modifications to Terms and Conditions.

What visual changes need to be made to comply?

The changes we are making to our Content Management System (CMS) are designed to implement the approach recommended by the ICO on page 16 of their guidance notes. Here’s a summary of what we are planning on doing to ensure our clients stay on the right side of the law:

(1) New “Privacy Options” tab: We will add a sliding, horizontal tab to the visible portion of your homepage that alerts users to the new legislation and invites them to click for more information. Your homepage will display in the normal fashion, but after two seconds the “Privacy Options” button tab will slide into view from the right-hand edge of the screen. It will stay for a few seconds and then disappear.

Clicking on the tab will open a new window containing privacy control options as well as links for more information.

The Privacy Options tab only appears on the homepage of the site and will appear every time the page is visited unless a Privacy Options Cookie has already been set (i.e. the tab will continue to appear until the User has answered the question – either Yes or No).

(2) Footer panel with “Opt-in” and “Opt-out”: We will also add a discrete panel of information to the very bottom of the page. The panel will provide users with buttons for “opt-in” and “opt-out” as well as links to more information that will be held on the Privacy Page.
The ICO recommend the following format:

(3) Updates to Privacy Policy and Terms & Conditions: These will need to be modified to explain the use of cookies and to make reference to the new legislation. We will supply “compliant” text for this so you will only need to review it.

The Privacy Options tab does not need to appear on every page of the site and we believe that it would be irritating and unnecessarily intrusive if it did. The purpose of the tab is to promote the existence of the new controls. Compliance is achieved satisfactorily by a combination of “promotion” (having the Privacy Options tab appear in the visible portion of the homepage) and “control” by having the Privacy Options panel appear in the footer of every page of the site.

What happens if Users click “I agree” in order to opt-in?

If Users opt-in, then the site will record this by setting a Cookie Preference Cookie. The site will work in very much the same way as it does today. The consent question that appears in the footer of every page of the site will change to indicate that consent has been granted (and to give Users the ability to change this, i.e. to opt-out, if necessary).

What happens if Users click “No thanks” in order to opt-out?

If Users opt-out then the site will record this by setting a Cookie Preference Cookie. The consent question that appears in the footer of every page of the site will change to indicate that consent has been denied (and to give Users the ability to change this, i.e. to opt-in). If the User attempts to use a service that requires cookies (e.g. login to an Extranet or use Billpay or SecureForms) the User will be redirected to a page that explains that the service requires cookies and invites them to change their settings.

What happens if Users do not answer?

If Users ignore the question it’s OK to give them cookies. They will not be given a Cookie Preference Cookie because they have not answered the question but the site will behave as if they had answered “I agree” – the site will set cookies as necessary.

I have multiple websites – does the User need to indicate consent multiple times?

In theory “No” – if the User indicates their consent on one of our sites you can assume that they have given consent to your other sites. However, in practice the answer is “Yes”, because sharing that consent between sites is not technically possible: cookies can only be read from the current domain. For example, a cookie set by a process running on www.site1.com cannot be read by a process running on www.site2.com or vice versa (this security is built into all browsers).

Can’t Users simply be told to opt-out using their browser settings?

No – the guidance notes issued by the ICO are very clear about this point. They do not consider it sufficient to rely on Users knowing how to change their cookie preferences. They are right about this – not many users know that the controls exist, let alone how to change them.

What will the impact be on my Google Analytics reports?

Google Analytics uses cookies to identify Users and distinguish between different sessions. If a User decides to opt-out (i.e. to reject cookies) the normal Google Analytics code will not be inserted into any page that they visit. The net result is that your Google Analytics reports will be less complete. However, much of the value derived from Google Analytics comes from the study of trends and relative figures (e.g. this link is twice as popular as that link). We believe that the validity of this data will be relatively unaffected by these changes, but that the absolute values will drop significantly.
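
The consent behaviour described in the sections above (Privacy Options tab on the homepage until the question is answered, redirect for cookie-dependent services after an opt-out, no Google Analytics code after an opt-out) can be sketched as follows. This is an added example, not Conscious Solutions' CMS code; the cookie name `cookie_pref`, its `yes`/`no` values, the service paths and the `/cookies-required` page are assumptions.

```javascript
// Added example: names, values and paths are assumptions, not the vendor's CMS code.
const PREF_COOKIE = "cookie_pref"; // hypothetical name for the "Cookie Preference Cookie"
const NEEDS_COOKIES = ["/extranet", "/billpay", "/secureforms"]; // hypothetical service paths

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // skip empty or malformed pairs
    const name = part.slice(0, eq).trim();
    if (!jar.has(name)) jar.set(name, part.slice(eq + 1).trim()); // first occurrence wins
  }
  return jar;
}

// Map the preference cookie to one of the three states the article describes.
// Any unexpected value is treated as "unanswered" so the question is asked again.
function consentState(header) {
  const value = parseCookies(header).get(PREF_COOKIE);
  return value === "yes" ? "opted-in" : value === "no" ? "opted-out" : "unanswered";
}

// Decide what the site should do for one request.
function decide(path, cookieHeader) {
  const state = consentState(cookieHeader);
  const needsCookies = NEEDS_COOKIES.some((p) => path === p || path.startsWith(p + "/"));
  return {
    state,
    showPrivacyTab: path === "/" && state === "unanswered", // homepage only, until answered
    includeAnalytics: state !== "opted-out", // unanswered behaves like "I agree"
    redirectTo: state === "opted-out" && needsCookies ? "/cookies-required" : null,
  };
}

// Build the Set-Cookie header recording the User's answer (one-year lifetime is an assumption).
function preferenceCookie(agreed) {
  return `${PREF_COOKIE}=${agreed ? "yes" : "no"}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Constructed sample requests: unanswered, opted in, opted out on a cookie-dependent service.
const samples = [["/", ""], ["/", "cookie_pref=yes"], ["/billpay/pay", "sid=1; cookie_pref=no"]];
for (const [path, cookie] of samples) {
  console.log(path, JSON.stringify(decide(path, cookie)));
}
```

Because the preference cookie is scoped to the site that set it, each domain has to record its own answer, which is the behaviour the multiple-websites question describes.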

* For a more extensive whitepaper, including some screenshots of how we see this working in practice, go to www.conscious.co.uk/cookies